Probably a Connection Tracking bug
Posted: 08 Feb 2008, 17:54
Csf v3.06 (generic)
It seems Lfd bans each IP 2 times in about 40 seconds one after another.
e.g. this log:
Fri Feb 8 15:47:26 2008 lfd: (CT) IP 81.174.65.77 found to have 186 connections - *Blocked in csf* for 10800 secs
Fri Feb 8 15:47:26 2008 lfd: (CT) alert email sent for 81.174.65.77
Fri Feb 8 15:48:07 2008 lfd: (CT) IP 81.174.65.77 found to have 109 connections - *Blocked in csf* for 10800 secs
Fri Feb 8 15:48:07 2008 lfd: (CT) alert email sent for 81.174.65.77
and it actually adds the IP to iptables 2 times and sends 2 emails.
CT configuration:
CT_LIMIT = "100"
CT_INTERVAL = "50"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "10800"
CT_SKIP_TIME_WAIT = "0"
CT_STATES = ""
Do you think this is a bug, or a too low checking interval?
Thanks,
-Vano
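
Added example (not part of the original post, and not csf/lfd code): one way to scan an lfd log for the symptom reported above, a (CT) block logged for an IP whose earlier temporary block has not yet expired. The regular expression assumes the line format shown in the post; the 192.0.2.10 lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Matches the (CT) block lines in the format quoted in the post.
CT_BLOCK = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) lfd: \(CT\) IP "
    r"(?P<ip>\S+) found to have (?P<conns>\d+) connections - "
    r"\*Blocked in csf\* for (?P<secs>\d+) secs"
)

def find_repeat_blocks(lines):
    """Return (ip, first_block_time, repeat_time, gap_seconds) for every CT
    block logged while an earlier temporary block of that IP was still active."""
    active = {}    # ip -> (time the block was logged, time it expires)
    repeats = []
    for line in lines:
        m = CT_BLOCK.match(line.strip())
        if not m:
            continue  # alert-email lines and unrelated lfd entries
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip = m["ip"]
        prev = active.get(ip)
        if prev and ts < prev[1]:
            gap = int((ts - prev[0]).total_seconds())
            repeats.append((ip, prev[0], ts, gap))
        else:
            # First block, or a new block after the previous one expired.
            active[ip] = (ts, ts + timedelta(seconds=int(m["secs"])))
    return repeats

# First four lines are from the post; the 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
Fri Feb 8 15:47:26 2008 lfd: (CT) IP 81.174.65.77 found to have 186 connections - *Blocked in csf* for 10800 secs
Fri Feb 8 15:47:26 2008 lfd: (CT) alert email sent for 81.174.65.77
Fri Feb 8 15:48:07 2008 lfd: (CT) IP 81.174.65.77 found to have 109 connections - *Blocked in csf* for 10800 secs
Fri Feb 8 15:48:07 2008 lfd: (CT) alert email sent for 81.174.65.77
Fri Feb 8 15:50:00 2008 lfd: (CT) IP 192.0.2.10 found to have 140 connections - *Blocked in csf* for 10800 secs
Fri Feb 8 19:00:00 2008 lfd: (CT) IP 192.0.2.10 found to have 120 connections - *Blocked in csf* for 10800 secs
""".splitlines()

if __name__ == "__main__":
    for ip, first, again, gap in find_repeat_blocks(SAMPLE_LOG):
        print(f"{ip}: blocked {first}, blocked again {again} ({gap}s later)")
```

The gap column can be compared against CT_INTERVAL from csf.conf; a re-block of 192.0.2.10 after its 10800-second block has lapsed is not reported.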